Deniable encryption, introduced in 1997 by Canetti, Dwork, Naor, and Ostrovsky, guarantees that the sender or the receiver of a secret message is able to “fake” the message encrypted in a specific ciphertext in the presence of a coercing adversary, without the adversary detecting that he was not given the real message. Sender  side deniable encryption scheme is considered to be one of the classification of deniable encryption technique which defined as resilient against coercing the sender. M. H. Ibrahim presented a sender – side deniable encryption scheme which based on public key and uncertainty of Jacobi Symbol
[6]
. This scheme has several problems; (1) it can’t be able to derive the fake message
M_{f}
that belongs to a valid message set, (2) it is not secure against Quadratic Residue Problem (QRP), and (3) the decryption process is very slow because it is based dramatically on square root computation until reach the message as a Quadratic Non Residue (QNR). The first problem is solved by J. Howlader and S. Basu’s scheme
[7]
; they presented a sender side encryption scheme that allows the sender to present a fake message
M_{f}
from a valid message set, but it still suffers from the last two mentioned problems. In this paper we present a new senderside deniable publickey encryption scheme with fast decryption by which the sender is able to lie about the encrypted message to a coercer and hence escape coercion. While the receiver is able to decrypt for the true message, the sender has the ability to open a fake message of his choice to the coercer which, when verified, gives the same ciphertext as the true message. Compared with both Ibrahim’s scheme and J. Howlader and S. Basu’s scheme, our scheme enjoys nice two features which solved the mentioned problems: (1) It is semantically secure against Quadratic Residue Problem; (2) It is as fast, in the decryption process, as other schemes. Finally, applying the proposed deniable encryption, we originally give a coercion resistant internet voting model without physical assumptions.
1. Introduction
O
ne of the central goals of cryptography is protecting the secrecy of a transmitted message. The secrecy property of an encryption scheme is usually formalized as semantic security
[1]
, which guarantees that an adversary cannot gain even partial information about an encrypted message.
The notion of semantic security has proven to be very useful in a large number of applications. However, there are some scenarios where semantic security is not sufficient. For example, semantic security does not ensure message secrecy if the adversary can coerce the sender or the receiver of a message to reveal the secret keys and/or the randomness that was used to form an encryption. Specifically, semantic security does not prevent an encryption scheme from being committing, in the sense that if an adversary sees a ciphertext and then tries to coerce the sender to reveal all of the input to the encryption (i.e., both the message and the randomness), any inputs that the sender can reveal that are consistent with the ciphertext must reveal the true message encrypted. In fact, many encryption schemes have only one set of possible inputs per ciphertext.
This committing property of encryption can be problematic in applications such as electronic voting
[2]
or keeping information secret when facing a coercer using physical force, or in the case of secure multiparty computation in the presence of an adaptive adversary
[3]
.
Suppose that Eve has two children: Alice, who is away at college, and a young Bob, who still lives at home. The siblings are planning a surprise party for Eve, so to keep their plans secret; they communicate using publickey encryption. Eve, however, has taken note of their encrypted communications and grows suspicious.
Using her inherent parental authority, she demands that Alice and Bob reveal their secret decryption keys, as well as any of the encryption randomness they might have retained. Is there any way for Alice and Bob to comply, without spoiling the surprise? The answer seems to be obviously no: using the secret keys, Eve can simply decrypt their messages and learn about the party.
However, the above argument misses a subtle point: if Alice and Bob are able to produce alternative keys and randomness that are consistent with their ciphertexts so far, then they might be able to fool Eve into thinking that they are communicating about something else (or at least not alert her to the party). A scheme that makes this possible is said to be deniable, a notion formally introduced by R. Canetti et al.
[4]
. (Deniability is related to, but different from Benaloh and Tuinstra’s notion of uncoercible communication
[5]
, in which a sender is able to undetectably indicate to a receiver than he is being coerced to send a particular message.)
Deniable encryption allows a party to escape coercion. Namely, it allows the sender to produce a ciphertext
C
that looks like an encryption of a true message
M_{t}
and as an encryption of a fake message
M_{f}
. Both messages are chosen by the sender. While the receiver is able to decrypt
C
for
M_{t}
, the sender is able to open either
M_{f}
or
M_{t}
to a coercer when verified, produces the same ciphertext
C
. Deniable encryption maybe classified into categories based on which parity is coerced: a senderside deniable scheme is resilient against coercion of the sender to produce his secret information, and receiver side deniable scheme is analogous to the previous, but in this case the coercion is on the receiver.
Deniable encryption is very useful in the protocols where coercive adversaries come to play as a potential threat. For example, deniable encryption protects voters from being coerced during electronic elections
[7
,
8]
. It is also very useful to protect bidders in electronic auctions.
Generally, deniable encryption is very important when a party is forced to act with a gun pointing at his/her head.
We distinguish two types of deniability according to the time of coercion: planaheaddeniability and unplanned deniability. In planahead deniability, the sender chooses his fake message during encryption based on what the coercive adversary previously commanded him to do. In unplanneddeniability, the sender must be able to generate the fake message after transmission whenever a coercive adversary approaches him. Our proposed method is of the later type i.e. we assume that the coercer approaches the sender after transmission and the sender must be able to open any message satisfactory to the coercer.
M. H. Ibrahim in
[6]
presented a method for sender side deniable encryption based on public key and uncertainty of Jacobi Symbol. This scheme is suffered from several problems; it can’t be able to derive the fake message M
_{f}
that belongs to a valid message set, it is not secure against Quadratic Residue Problem (QRP)
[10]
, and the decryption process is very slow because it is based dramatically on square root computation until reach the message as a Quadratic Non Residue (QNR). Some applications such as internet voting protocol, electronic bidding and auctions, where the number of users is very large, require fast decryption to complete the authintication process between sender and reciver before sending the required data. This process must take a minimal time since the final dicision for electronic bidding for example is depends mainly on the data sent from users electronically. Also, the authentication and digital signature processes in wireless network specially in wireless sensor network take along time as well as consume very high power for sensor devices if we use atraditional encryption scheme or the current deniable encryprion schems to secure the required data.
J. Howlader and S. Basu
[9]
presented a sender side encryption scheme that solve the first mentioned problem of Ibrahim’s scheme which allows the sender to present a fake message M
_{f}
from a valid message set.
Unfortunately, J. Howlader and S. Basu’s scheme still suffers from the reset of Ibrahim’s scheme problems; it is not secure against Quadratic Residue Problem (QRP) and the decryption process is very slow due to it is based dramatically on square root computation until reach the message as a Quadratic Non Residue (QNR).
In this paper we present a new senderside deniable publickey encryption scheme which is semantically secure against QRP. Moreover, we will show that our scheme is as fast, in the decryption process, as both Ibrahim’s scheme and J. Howlader and S. Basu’s scheme .
Also, we develope a secure internet voting model based on the proposed deniable scheme is originally developed.
The paper is organized as follows: Section 2 describes the related work in the field. Our motivations and contributions are given in Section 3. Section 4 describes the preliminaries and the notion of deniability. In Section 5 we present the proposed deniable encryption with its encryption and decryption techniques. We present the running time of the proposed scheme in the Section 6. Section 7 desribes internet voting protocol using the proposed scheme. Implementation data of the proposed scheme is presented in Section 8. Finally, the conclusions are given Section 9.
2. Related Work
More recently, O’Neill, Peikert, and Waters
[11]
announced a flexible bideniable encryption scheme with negligible deniability based on lattice assumptions. We view this latter work as orthogonal to our own: it is noninteractive and achieves deniability for both sender and receiver simultaneously, but the construction uses in an essential way the fact that there are different honest and dishonest encryption algorithms. the work in
[3]
described a general multiparty computations allowing a set of players to compute a com mon function of their inputs with the ability to escape a coercion.
Canetti et al.
[4]
also constructed a flexible (i.e., twoalgorithm) senderdeniable encryption scheme with negligible deniability. The work in
[5]
also notified that in order to build oneround schemes, different approaches are required. Also it introduced techniques for the less challenging, deniable sharedkey encryption and showed that the onetimepad is a perfect deniable sharedkey encryption. Based on the senderdeniable publickey.
Ibrahim
[6]
devises a senderdeniable publickey encryption based on quadratic residuosity of a composite modulus and showed how to device a senderdeniable publickey encryption from any trapdoor permutation. He supposes that s is generated and used on the fly to reach a QNR value in . He supposes that the program does not store s anywhere on the system since it is not part of the encryption pattern.
3. Motivations and Contributions
 3.1 Motivations
Deniable encryption offers exactly the missing part. Given a ciphertext, publickey, all secret knowledge, and an alternative message, the sender and/or receiver is able to compute alternative secret knowledge (i.e., encryption algorithm randomness or secret key). The alternative secrets are required to be indistinguishable from honest secrets while delivering the alternative message.
The main motivation of deniable encryption is coercion resistance. A powerful adversary may demand secret key and encryption randomness for the intercepted communication. Deniable publickey encryption is a strong primitive, essential in all cryptographic protocols where a coercive adversary comes to play with high potential. Deniable publickey encryption is a very important attribute in some applications such as electronic voting, electronic bidding and auctions.
Deniable encryption has an impact on the design of adaptively secure multiparty computations
[3]
since, the notion of deniability is stronger than the notion of noncommitting encryption.
 3.2 Contributions
The contributions of this paper are to introduce an efficient senderdeniable publickey encryption scheme. We introduce two versions of our scheme. The first scheme for single bit encryption while the second scheme is for multibit message encryption. The main contributions of this paper are described as follows:

• An efficient senderdeniable encryption scheme is proposed. Our proposed scheme enjoys the following properties:

 It is a onemove scheme without any preencryption information required to be sent between the sender and the receiver prior to encryption.

 No preshared secret information is required between the sender and the receiver.

 Achieves a deniability equivalent to the factorization of a large twoprime modulus

 semantically secure against QRP.

 The decryption process is very fast compared to other related scheme.

 The less overhead in term of the size of the ciphertext.

• A secure internet voting model based on the proposed deniable scheme is originally developed. The internet voting model have the following properties:

 The model is coercionresistance.

 Coercionresistance is implemented without physical assumptions.
4. Preliminaries
In this section we first describe the notion of deniability and then we introduce the quadratic residuosity of a composite in some details as it represents the basic primitive of the schemes presented in this paper.
 4.1 Definition 1:
Let
n
∈
N
be a security parameter. An efficiently computable protocol π between two parties
S
and
R
(sender and receiver, respectively) is called a senderdeniable public key bit encryption scheme if the following three conditions are satisfied:
•
Correctness:
The probability that the receiver output is different from the sender input is negligible.
•
Security:
For any two different messages
M_{t}
and
M_{f}
, the communications for transmitting
M_{t}
are computationally indistinguishable from the communications for transmitting
M_{f}
.
Deniability:
The adversary’s view of an honest encryption of
M_{t}
according to protocol π is indistinguishable from the adversary’s view when the ciphertext was generated while transmitting
M_{t}
and the sender falsely claims that it is an encryption of
M_{f}
.
 4.2 Definition 2: Quadratic Residuosity
The proposed scheme is based on the quadratic residuosity problem
[1
,
9
,
10]
, of a composite
n
, which is a product of two distinct primes
•
Basic definitions:
For an integer
a
∈
is a quadratic residue modulo n, if there exists some
X
∈
such that
a
≡
X
^{2}
mod n
. We denote
a
∈
Q_{n}
. Otherwise a is quadratic nonresidue modulo n and denoted as
a
∈
Define
⊂
to be the subset of all integers such that for any
a
∈
, the Jacobi symbol
= +1 and define
⊂
to be the subset of all integers such that
a
∈
, the Jacobi symbol
= 1. We have
Q_{n}
⊂
.
 4.3 Definition 3: Computing Composite Residuosity Classes
Let
g
be some element of ℤ
^{*}
_{n2}
. the computational problem Class [n] defined as follows: given
ω
∈ ℤ
^{*}
_{n2}
and
g
∈ ℬ, compute ⟦ω⟧
_{g}
.
Lemma 1
. For any
u
∈
S_{n}
, where
S_{n}
is the multiplcative supgroup of integer modulo
n
^{2}
and
S_{n}
= {
u
<
n
^{2}

u
= 1
mod n
}, function L is defined as ᗄ
u
∈
S_{n}
L
(
u
) =
Lemma 2
. For any
ω
∈ ℤ
^{*}
_{n2}
, L(
ω^{λ}
mod n
) =
λ
⟦
ω
⟧
_{n+1}
mod n
5. The Proposed Scheme
In this section we propose our scheme for both single bit and multiplebit message. Firstly, we introduce the proposed scheme for 1bit message, and then we extend our work for multiplebit message. In this scheme, the receiver choose two large prime numbers
p
and
q
. Then, he compute
n
=
pq
as the reciever’s publickey while
p
and
q
as the receiver’s privatekey. Our scheme is based on probabilistic encryption method
[10]
.
 A. Single bit deniable encryption scheme.
Let
b_{t}
be the true bit to be encrypted while
b_{f}
be the fake bit. Then, the procedure of the proposed scheme is done as follows:
Encryption:
the sender proceeds as follows:

•Honest Encryption (bt=bf)

 Selects two primep,qandnwheren=pq.

 Selects a bit streamyofkbits, whereyis QNR..

 SelectsX∈at randome.

 To negotiate y between the transmitter and receiver without any obscurity; the sender does the following:

Method Iif theithbit is 0 (i.e,= 0), computesa=X2mod n.

Method IIif theithbit is 1 (i.e,= 1), the sender computesa=yX2mod n, such thata∈

 To ensure that the receiver is able to distinguish whetherX∈QNorX∈as well as to allow the receiver to stop at the correct QNR which is y in our scheme, we should use a strong hash function H with an output bitlength L as follow:

▪ The sender pickse∈R{0,1}, sets andRe=H(y) andR1e∈R{0,1}ℓ.

▪ Randomly selects 0

 Scans the binary representation of y for an index i such that=bt=bf.

 Sends (i,C,R0,R1) to the receiver.

•Dishonest Encryption (bt=f).

 Selects two primep,qandnwheren=pq.

 Selects a bit streamyofkbits, whereyis QNR..

 Picks two small integers 0 < (r1,r2)

 Computesy1=gy+nr1mod n2.

 Scans the binary representation of bothyandy1such that=btand=bf.

 ComputesC=gy1+nr2mod n2.

 Pickse∈R{0,1}, setsRe=H(y) andR1e=H(y1).

 Sends (i,C,R0,R1) to the receiver.
Decryption:
the receiver decrypts the received message (
i
,
C
,
R
_{0}
,
R
_{1}
) starting with
C
. Then, the receiver keeps on computing
y modulo n
until he reches
mod n
as a QNR in
satisfying either
R
_{0}
=
H
(
y
) or
R
_{1e}
=
H
(
y
_{1}
), where 1 ≤
a
≤
λ
and
λ
=
lcm
(
p
 1,
q
 1) . Hence, the receiver decrypt of
as the encrypted bit
b
.
•
Proof of security for our scheme.
Opening an encryption.
To open an encryption honestly, the sender reveals
y
. To open dishonestly, the sender reveals
y
_{1}
and claims that
R_{e}
is a random string.
Security.
For any
b_{t}
,
b_{f}
∈ {0, 1}, the communications between the sender and receiver for transmitting
b_{t}
is indistinguishable from that for transmitting
b_{f}
.
Correctness.
In the decryption process, on the reception of (
i
,
C
,
R
_{0}
,
R
_{1}
), the receiver (starting from C) keeps on computing y. After each computation, he,(i) discards the two roots in
(ii) hashes the QNR root in
to see whether it matches either R
_{0}
or R
_{1}
. If a match is found, he stops and takes this QNR as y. Otherwise, he continues computing of the QR
and repeats (i) and (ii). Hence, correctness follows immediately.
Deniability proof in presence of coercer.
In case of senderside coercion, the sender reveals
y
_{1}
dishonestly to the coercer. The sender is able to convince the coercer, that a bit
= 0, whereas the truth is
= 1 . To do this, the sender would say that
a_{j}
for 0 ≤
j
≤
t
 1 are random selection from
, that is, randomly selected using Method I, whereas
a_{j}
is selected using Method II. However, sender cannot open a bit
= 1, whereas the truth is
= 0. So, in case of coercion the sender would flip a bit
= 1 to 0 by dishonestly opening
y
_{1}
.
On the other hand, the sender falsely claims that
y
_{1}
is a QNR and
b
_{i}
^{(y1)}
is the encrypted bit. As
a_{j}
is from
and the coercer does not know the prime factors of
n
, the coercer automatically accepts this claim since he cannot prove the contradiction, i.e., ha cannot prove that
y
_{1}
is a QR and that
R_{e}
is not random.
 B. multiple bits deniable encryption
In this section, we extend the single bit deniable encryption scheme to multibit deniable encryption scheme. Let
M_{t}
be the true message to be encrypted and let
M_{f}
be the set of all possible fake binary messages of
m
bits excluding
M_{t}
. We assume that
m
is no more than several bits. The cheme is described as follows:
Encryption:
the sender proceeds as follows:

•Honest Encryption (bt=bf)

 Selects two primep,q,p≠q.

 He setsn=pqas his publickey while keepingpandqsecret.

 Selects a pseudosquarey∈Zn(i.e.,y is QNR)

 Let messagembe a binary stringm=m1,m2, ... ... .ml

 Fori= 1 ... ... ...ldo:

➢ Selectx∈at random.

➢ Ifmi= 0, sender computesaj=mod n, whereXj∈, for 0 ≤j≤m 1

➢ Otherwise, he computesaj=ymod n.

 The sender scans the binary representation ofyfor an indexijsuch thatbij(y)=bj(Mt).

 To ensure that the receiver is able to distinguish whetherX∈QNorX∈as well as to allow the receiver to stop at the correct QNR which is y in our scheme, we should use a strong hash function H with an output bitlength L as follow:

▪ Letε= 2m 1. Defines stringsR0,... ... ..,Rε, selects a randomi≤ε, and setsRi=H(y), then, sets each otherRj≠i∈R{0,1}ℓ.

 Randomly selects 0

 Sends (im1,... ..,i0,C,R0,... ..,Rϵ) to the receiver.

•Dishonest Encryption (bt=f).

 Selects two primep,qandnwheren=pq.

 Selects a bit streamyofkbits, whereyis QNR .

 Picks two small integers 0 < (r1,r2)

 Computesy1=gy+nr1mod n.

 Scans the binary representation of bothyandy1such that

 Letε= 2m 1 be the number of stringsyj(i. e, each yjcorrsponds to a one fake Mf). Then, Defines stringsR0,... ... ..,Rε, selects a randomi≤ε, and setsRi=H(y), and sets each otherRj≠i∈R{0,1}ℓas a value ofH(y1).

 ComputesC=gy1+nr2mod n.

 Sends (im1,... ..,i0,C,R0,... ..,Rϵ) to the receiver.
Decryption:
the receiver decrypts the received message (
i
_{m1}
,... ..,
i
_{0}
,
C
,
R
_{0}
,... ..,
R_{ϵ}
) starting with
C
. Then, the receiver keeps on computing
y modulo n
until he reches
mod n
as a QNR in
satisfying that
R_{i}
=
H
(
y
) for any
i
= 0,... ...,
ϵ
. Hence, the receiver decrypt of
as the cleartext bits.
•
Proof of security for our scheme.
Opening an encryption.
To open an encryption honestly, the sender reveals
y
. to open dishonestly, the sender reveals
y
_{1}
and claims that
R_{ϵ}
is a random string.
Security.
Semantic security is immediate.
Correctness.
Immediate.
Deniability proof in presence of coercer.
In case of senderside coercion, the sender reveals
y
_{1}
dishonestly to the coercer. The sender is able to convince the coercer, that a bit
= 0, whereas the truth is
= 1. To do this, the sender would say that
a_{j}
for 0 ≤
j
≤
m
 1 are random selection from
, that is, randomly selected using Method I, whereas
a_{j}
is selected using Method II. Howerver, sender cannot open a bit
= 1, whereas the truth is
= 0. So, in case of coercion the sender would flip a bit
= 1 to 0 by dishonestly opening
y
_{1}
.
On the other hand, the sender falsely claims that
y
_{1}
is a QNR and
b
_{i}
^{(y1)}
is the encrypted bit. As
a_{j}
is from
and the coercer does not know the prime factors of
n
, the coercer automatically accepts this claim since he cannot prove the contradiction, i.e., he cannot prove that
y
_{1}
is a QR.
6. Running time of our scheme
In this section, we briefly analyze the main practical aspects of computations required by our scheme.
Key generation.
The prime factors
p
and
q
must be generating according to the usual recommendations in order to make n as hard to factor as possible. The most computationally expensive operation involved in decryption is the modular exponentiation C → C
^{α}
mod n
^{2}
O(n
^{2}
α). If is chosen in such a way that α = (n
^{ϵ}
) for some ϵ > 0, then decryption will only take O(n
^{2+ϵ}
) bit operations. On the other hand, the base can be chosen randomly among elements of order divisible by
n
. the whole generation may be made easier by carrying out computations separately
mod
p
^{2}
and
mod q
^{2}
and Chineseremaindering
g mod p
^{2}
and
g mod q
^{2}
at the very end.
Encryption.
Encryption requires a modular exponentiation of base
g
. The computation may be significally accelerated by a judicious choice of
g
. taking
g
= 2 allow an immediate speedup of whole encryption process. Optionally,
g
could even be fixed to a constant value if the key generation process includes a specific adjustment. At the same time, preprocessing techniques for exponentiation a constant base can dramatically reduce the computational cost.
Decryption.
Computing
L
(
x
) for
x
∈
Z_{n}
may be achieved at a very low cost (only one multiplication modulo 2
^{n}
) by precomputing
n
^{1}
mod 2
^{n}
. The constant parameter
L
(
g
^{α}
mod n
^{2}
)
^{1}
mod n
can also be precomputed once for all. On the other hand, decryption process uses Chinese Remainder Theorem (CRT)
[12]
which used to efficiently reduce the decryption workload of our scheme. Therefore, the decryption process can be made faster by separately computing the message mod p and mod q and recombining modular residues afterwards:
Where:

and

h_{p}
=
L_{p}
(
g
^{p1}
mod p
^{2}
)
mod p
and
h_{q}
=
L_{q}
(
g
^{q1}
mod q
^{2}
)
mod q

p
 1 and
p
 1 have to be replaced by
α
in the fast decryption.
7. Internet Voting Protocol using the proposed sender deniable encryption scheme
Deniable encryption scheme uses in many applications such as electronic voting protocol, protection against vote buying, auction protocol, secure mutliparty computation and deniable authentication process. This type of deniability is very common in internet voting protocol.
This section will describe how to express the idea of the internet voting protocol model using the proposed sender side deniable encryption scheme.
The proposed internet voting model includes three phases: preparation phase, registration phase and voting phase.
 7. 1 Preliminaries
In this section, we review some notations and assumptions that will be used in the proposed voting protocol.
 Notation 1

IDj: the identification of voterVj.

 A : authority which it is responsible for elections.

 Bt: authority which it is responsible for elections.

 BB : bulletin board.
 Assumption 1

 In order to express the idea clearly and simplify the model, we suppose there is only one authority.

 We use the proposed single bit deniable encryption scheme where the message set is {TRUE,FALSE} or eqivalent to {1,0}.
 • Preparation phase:

 Authority A and voter Vjgenerate the public and private keys according to the proposed sender deniable encryption scheme. The private keys of voter and authority are secret

 Authority generates the ballot Btand send Btand its digital signature to bulletin board denoted by BB.
 • Registration phase:

VoterVjfirstly registered to authorityAas followes:

 voter Vjcomputes C = gy+nrmod n2using the proposed sender deniable encryption scheme, where y=IDj. Then, voter sends (i,C,R0,R1) as his/her public key to authority A.

 authority A then decrypt the recived message using the proposed sender deniable encryption scheme to obtain y by satisfying that either R0= H(y) or R1e= H(y1).

 Once Authority A obtains the value of y, Authority A begins to register the voter Vjusing his/her identification (IDj).Fig. 1describes the registration phase.
Registering Phase
 • Voting phase:

 voter Vjchooses his/her favorite ballot Bt.

 voter Vjthen encrypts his/her credential using the proposed sender deniable encryption scheme and sends it to BB at the reciver.

 The reciever then decrypts the received message using the proposed sender deniable encryption scheme and verify the identification of the voter Vj.

 If the credential is not valid, the protocol is terminated, otherwise BB sends the verification message to voter Vjand ask him/her about his/her valid ballot.

 After voter Vjrecievs the verification message from BB, he/she sends the encrypted ballot, which contains his/her voting dicision, to BB which it accept the reciving voting and put it in its database.Fig. 2describes the voting phase.
Voting Phase
8. Implementation data of the proposed scheme
In this section we analyzing, evaluating, and compring among Ibrahim’s scheme, J. Howlader and S. Basu’s scheme and the proposed scheme in terms of the following evaluation parameters:

1. Running time of both encryption and decryption processes based on different values of modulusn.

2. Computation time.

3. Memory usage.
In order to demonstrate the improved efficiency of our scheme, we implemented this scheme on Intel(R) Core(TM) i3 CPU, M370 @ 2.40 GHz with 4 GB RAM using C# programming language.
We implementing six different sizes of the modulus (
n
), namely at
n
= 200,
n
= 400,
n
= 600,
n
= 800,
n
= 1024, and
n
= 2048 bits For each value of the modulus (
n
), the modular multiplication of bit size n is taken as the unitary operation. We assume that the execution time of a modular multiplication is quadratic in the operand size and that modular squares are computed by the same routine. The public exponent is taken equal to e = 2
^{16}
+ 1. The parameter
g
is set to in our main scheme. Other parameters,
secret exponents or messages are assumed to contain about the same number of ones and zeroes in their binary representation.
The five text files of different sizes are used to conduct five experiments, where a comparison of three algorithms is performed.
 8.1 Experimental Results and analysis for running time parameter
Experimental results of the running time for encryption and decryption algorithms for three schems are shown in
Fig. 3
to
Fig. 8
which show the comparison of three schemes using different values of modulus
n
.
comparison of encryption process for single bit/ honest encryption among Ibrahim’s scheme, J. Howlader and S. Basu’s scheme and the proposed scheme
By analyzing
Fig.3
and
Fig. 4
which show the time Taken for encryption process for single bit on various size of modulus
n
by three algorithms i:e Ibrahim’s scheme, J. Howlader and S. Basu’s scheme and the proposed scheme. It is noticed that, J. Howlader and S. Basu’s scheme consumes least time for encryption. Whereas Ibrahim’s scheme and the proposed scheme show very minor difference in time taken for encryption.
comparison of encryption process for single bit/ dishonest encryption among Ibrahim’s scheme, J. Howlader and S. Basu’s scheme and the proposed scheme
Fig. 5
shows the time taken for decryption process for single bit on various size of modulus
n
. It is noticed that the decryption time for Ibrahim’s scheme is the highest for all sizes of modulus
n
, while the proposed scheme takes the lowest decryption time for all sizes of modulus
n
.
comparison of decryption process for single bit among Ibrahim’s scheme, J. Howlader and S. Basu’s scheme and the proposed scheme
Similary, we take the same results when run our expremintal for both encryption and decryption processes for multiple bits. The simulation results are shown in
Fig. 6
,
Fig. 7
, and
Fig. 8
.
 8.1.1. Simulation Results
comparison of encryption process for multiple bits/ honest encryption among Ibrahim’s scheme, J. Howlader and S. Basu’s scheme and the proposed scheme
comparison of encryption process for multiple bits/ dishonest encryption among Ibrahim’s scheme, J. Howlader and S. Basu’s scheme and the proposed scheme
comparison of decryption process for multiple bits among Ibrahim’s scheme, J. Howlader and S. Basu’s scheme and the proposed scheme
 8.2 Experimental Results and analysis for computation time and memory usage parameters
In this section, we show the comparison among Ibrahim’s scheme, J. Howlader and S. Basu’s scheme and the proposed scheme in terms of computation time and memory usage.
The computation time means that the total time of encryption and decryption algorithms which be taken by those schemes at different sizes of files.
Experimental results are shown in
Table 1
, which shows the required comparison using five text files of different sizes.
Expremintal Results
By analyzing of
Table 1
we noticed that, the computational time taken by the proposed scheme is much lower compare to the time taken by Ibrahim’s scheme and J. Howlader and S. Basu’s scheme.
Also, we opservied that the memory usage for the proposed scheme is much lower than the memory usage for both Ibrahim’s scheme and J. Howlader and S. Basu’s scheme. Whereas Ibrahim’s scheme and J. Howlader and S. Basu’s scheme show very minor difference memory usage. The simulation results are shown in
Fig. 9
and
Fig. 10
.
 8.2.1. Simulation Results
comparison of computation time among Ibrahim’s scheme, J. Howlader and S. Basu’s scheme and the proposed scheme
comparison of memory usage by Ibrahim’s scheme, J. Howlader and S. Basu’s scheme and the proposed scheme
9. Conclusions
We proposed an efficient scheme for sender deniable encryption and it providing to both singlebit and multiplebit message encryptions. Based on this scheme we prove that our scheme is more secure over that proposed in
[6
,
9]
in the sense of deniability and decipherability. Moreover, our scheme is based on probabilistic encryption model and it enjoys the following properties:

• No preshared secret information is required between sender and receiver.

• Achieves a deniability equivalent to the factorization of a large twoprime modulus

• Semantically secure against QRP.

• The decryption process is very fast compared to other related scheme in[6,9]

• The less overhead in term of the size of the ciphertext.

• No extra computation is required for dishonest opening of y in presence of coercion.

• The proposed scheme has very low power cost compared with other related schems since it consume very low computation time and memory usage.

• A secure internet voting model based on the proposed deniable scheme is originally developed. The internet voting model have the following properties:

 The model is coercionresistance.

 Coercionresistance is implemented without physical assumptions.
Acknowledgements
The author would like to thank the anonymous reviewers of KSII for their valuable comments.
BIO
Tamer Barakat received his BSc in communications and computers engineering from Helwan University, Cairo; Egypt in 2000. Received his MSc in Cryptography and Network security systems from Helwan University in 2004 and received his PhD in Cryptography and Network security systems from Cairo University in 2008. Currently, working as a lecturer, post doctor researcher and also joining several network security projects in Egypt. His main interest is Cryptography and network security. More specially, he is working on the design of efficient and secure cryptographic algorithms, in particular, security in the wireless sensor networks. Other things that interest him are number theory and the investigation of mathematics for designing secure and efficient cryptographic schemes.
View Fulltext
Goldwasser S.
,
Micali. S.
1984
“Probabilistic encryption”
Journal of Computer and System Sciences
Preliminary version in 14th Annual ACM Symposium on Theory of Computing (STOC). Article (CrossRef Link)
28
(2)
270 
299
DOI : 10.1016/00220000(84)900709
Sako K.
,
Kilian. J.
(1995)
“Receiptfree mixtype voting scheme: A practical solution to the implementation of a voting booth”
Advances in Cryptology — EUROCRYPT ’95, Springer LNCS 921
Article (CrossRef Link)
393 
403
Canetti R.
,
Feige U.
,
Goldreich O.
,
Naor. M.
(1996)
“Adaptively secure multiparty computation”
STOC
Article (CrossRef Link)
639 
648
Canetti R.
,
Dwork C.
,
Naor M.
,
Ostrovsky. R.
1997
“ Deniable encryption”
CRYPTO
Article (CrossRef Link)
90 
104
Benaloh J.
,
Tuinstra. D.
1994
“Uncoercible communication”
Clarkson University
Technical Report TRMCS941
Article (CrossRef Link)
Ibrahim M. H.
2009
“A method for obtaining deniable PublicKey Encryption”
Trans. On International Journal of Network Security (IJNS)
Article (CrossRef Link)
8
(1)
1 
9
Cramer R.
,
Gennaro R.
,
Schoenmakers B.
1997
“A secure and optimally efficient multiauthority election scheme”
Eurocrypt ’97
Article (CrossRef Link)
103 
118
Hirt M.
,
Sako K.
2000
“Efficient receiptfree voting based on homomorphic encryption”
Eurocrypt ’00
Article (CrossRef Link)
539 
556
Howlader J.
,
Basu S.
2009
“SenderSide Public key Deniable Encryption Scheme”
in Proc. of International Conference on Advances in Recent Technologies in Communication and Computing
Article (CrossRef Link)
9 
13
Fuchsbauer G. J.
2006
“An Introduction to Probabilistic Encryption”
Osjecki Matematicki List
Article (CrossRef Link)
6
37 
44
O’Neill A.
,
Peikert C.
,
Waters. B.
(2010)
“Bideniable publickey encryption” Manuscript
Article (CrossRef Link)
Paillier P.
1999
“PublicKey Cryptosystems Based on Composite Degree Residuosity”
SpringerVerlag
Classes Advances in Computer Science – EUROCRYPT’99
Article (CrossRef Link)
223 
238